1/* $NetBSD: qmgr.c,v 1.2 2017/02/14 01:16:47 christos Exp $ */
2
3/*++
4/* NAME
5/* qmgr 8
6/* SUMMARY
7/* Postfix queue manager
8/* SYNOPSIS
9/* \fBqmgr\fR [generic Postfix daemon options]
10/* DESCRIPTION
11/* The \fBqmgr\fR(8) daemon awaits the arrival of incoming mail
12/* and arranges for its delivery via Postfix delivery processes.
13/* The actual mail routing strategy is delegated to the
14/* \fBtrivial-rewrite\fR(8) daemon.
15/* This program expects to be run from the \fBmaster\fR(8) process
16/* manager.
17/*
18/* Mail addressed to the local \fBdouble-bounce\fR address is
19/* logged and discarded. This stops potential loops caused by
20/* undeliverable bounce notifications.
21/* MAIL QUEUES
22/* .ad
23/* .fi
24/* The \fBqmgr\fR(8) daemon maintains the following queues:
25/* .IP \fBincoming\fR
26/* Inbound mail from the network, or mail picked up by the
27/* local \fBpickup\fR(8) daemon from the \fBmaildrop\fR directory.
28/* .IP \fBactive\fR
29/* Messages that the queue manager has opened for delivery. Only
30/* a limited number of messages is allowed to enter the \fBactive\fR
31/* queue (leaky bucket strategy, for a fixed delivery rate).
32/* .IP \fBdeferred\fR
33/* Mail that could not be delivered upon the first attempt. The queue
34/* manager implements exponential backoff by doubling the time between
35/* delivery attempts.
36/* .IP \fBcorrupt\fR
37/* Unreadable or damaged queue files are moved here for inspection.
38/* .IP \fBhold\fR
39/* Messages that are kept "on hold" are kept here until someone
40/* sets them free.
41/* DELIVERY STATUS REPORTS
42/* .ad
43/* .fi
44/* The \fBqmgr\fR(8) daemon keeps an eye on per-message delivery status
45/* reports in the following directories. Each status report file has
46/* the same name as the corresponding message file:
47/* .IP \fBbounce\fR
48/* Per-recipient status information about why mail is bounced.
49/* These files are maintained by the \fBbounce\fR(8) daemon.
50/* .IP \fBdefer\fR
51/* Per-recipient status information about why mail is delayed.
52/* These files are maintained by the \fBdefer\fR(8) daemon.
53/* .IP \fBtrace\fR
54/* Per-recipient status information as requested with the
55/* Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command.
56/* These files are maintained by the \fBtrace\fR(8) daemon.
57/* .PP
58/* The \fBqmgr\fR(8) daemon is responsible for asking the
59/* \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to
60/* send delivery reports.
61/* STRATEGIES
62/* .ad
63/* .fi
64/* The queue manager implements a variety of strategies for
65/* either opening queue files (input) or for message delivery (output).
66/* .IP "\fBleaky bucket\fR"
67/* This strategy limits the number of messages in the \fBactive\fR queue
68/* and prevents the queue manager from running out of memory under
69/* heavy load.
70/* .IP \fBfairness\fR
71/* When the \fBactive\fR queue has room, the queue manager takes one
72/* message from the \fBincoming\fR queue and one from the \fBdeferred\fR
73/* queue. This prevents a large mail backlog from blocking the delivery
74/* of new mail.
75/* .IP "\fBslow start\fR"
76/* This strategy eliminates "thundering herd" problems by slowly
77/* adjusting the number of parallel deliveries to the same destination.
78/* .IP "\fBround robin\fR"
79/* The queue manager sorts delivery requests by destination.
80/* Round-robin selection prevents one destination from dominating
81/* deliveries to other destinations.
82/* .IP "\fBexponential backoff\fR"
83/* Mail that cannot be delivered upon the first attempt is deferred.
84/* The time interval between delivery attempts is doubled after each
85/* attempt.
86/* .IP "\fBdestination status cache\fR"
87/* The queue manager avoids unnecessary delivery attempts by
88/* maintaining a short-term, in-memory list of unreachable destinations.
89/* .IP "\fBpreemptive message scheduling\fR"
90/* The queue manager attempts to minimize the average per-recipient delay
91/* while still preserving the correct per-message delays, using
92/* a sophisticated preemptive message scheduling.
93/* TRIGGERS
94/* .ad
95/* .fi
96/* On an idle system, the queue manager waits for the arrival of
97/* trigger events, or it waits for a timer to go off. A trigger
98/* is a one-byte message.
99/* Depending on the message received, the queue manager performs
100/* one of the following actions (the message is followed by the
101/* symbolic constant used internally by the software):
102/* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR"
103/* Start a deferred queue scan. If a deferred queue scan is already
104/* in progress, that scan will be restarted as soon as it finishes.
105/* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR"
106/* Start an incoming queue scan. If an incoming queue scan is already
107/* in progress, that scan will be restarted as soon as it finishes.
108/* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR"
109/* Ignore deferred queue file time stamps. The request affects
110/* the next deferred queue scan.
111/* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR"
112/* Purge all information about dead transports and destinations.
113/* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR"
114/* Wakeup call. This is used by the master server to instantiate
115/* servers that should not go away forever. The action is to start
116/* an incoming queue scan.
117/* .PP
118/* The \fBqmgr\fR(8) daemon reads an entire buffer worth of triggers.
119/* Multiple identical trigger requests are collapsed into one, and
120/* trigger requests are sorted so that \fBA\fR and \fBF\fR precede
121/* \fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run,
122/* one would request \fBA F D\fR; in order to notify the queue manager
123/* of the arrival of new mail one would request \fBI\fR.
124/* STANDARDS
125/* RFC 3463 (Enhanced status codes)
126/* RFC 3464 (Delivery status notifications)
127/* SECURITY
128/* .ad
129/* .fi
130/* The \fBqmgr\fR(8) daemon is not security sensitive. It reads
131/* single-character messages from untrusted local users, and thus may
132/* be susceptible to denial of service attacks. The \fBqmgr\fR(8) daemon
133/* does not talk to the outside world, and it can be run at fixed low
134/* privilege in a chrooted environment.
135/* DIAGNOSTICS
136/* Problems and transactions are logged to the syslog daemon.
137/* Corrupted message files are saved to the \fBcorrupt\fR queue
138/* for further inspection.
139/*
140/* Depending on the setting of the \fBnotify_classes\fR parameter,
141/* the postmaster is notified of bounces and of other trouble.
142/* BUGS
143/* A single queue manager process has to compete for disk access with
144/* multiple front-end processes such as \fBcleanup\fR(8). A sudden burst of
145/* inbound mail can negatively impact outbound delivery rates.
146/* CONFIGURATION PARAMETERS
147/* .ad
148/* .fi
149/* Changes to \fBmain.cf\fR are not picked up automatically
150/* as \fBqmgr\fR(8)
151/* is a persistent process. Use the "\fBpostfix reload\fR" command after
152/* a configuration change.
153/*
154/* The text below provides only a parameter summary. See
155/* \fBpostconf\fR(5) for more details including examples.
156/*
157/* In the text below, \fItransport\fR is the first field in a
158/* \fBmaster.cf\fR entry.
159/* COMPATIBILITY CONTROLS
160/* .ad
161/* .fi
162/* Available before Postfix version 2.5:
163/* .IP "\fBallow_min_user (no)\fR"
164/* Allow a sender or recipient address to have `-' as the first
165/* character.
166/* .PP
167/* Available with Postfix version 2.7 and later:
168/* .IP "\fBdefault_filter_nexthop (empty)\fR"
169/* When a content_filter or FILTER request specifies no explicit
170/* next-hop destination, use $default_filter_nexthop instead; when
171/* that value is empty, use the domain in the recipient address.
172/* ACTIVE QUEUE CONTROLS
173/* .ad
174/* .fi
175/* .IP "\fBqmgr_clog_warn_time (300s)\fR"
176/* The minimal delay between warnings that a specific destination is
177/* clogging up the Postfix active queue.
178/* .IP "\fBqmgr_message_active_limit (20000)\fR"
179/* The maximal number of messages in the active queue.
180/* .IP "\fBqmgr_message_recipient_limit (20000)\fR"
181/* The maximal number of recipients held in memory by the Postfix
182/* queue manager, and the maximal size of the short-term,
183/* in-memory "dead" destination status cache.
184/* .IP "\fBqmgr_message_recipient_minimum (10)\fR"
185/* The minimal number of in-memory recipients for any message.
186/* .IP "\fBdefault_recipient_limit (20000)\fR"
187/* The default per-transport upper limit on the number of in-memory
188/* recipients.
189/* .IP "\fItransport\fB_recipient_limit ($default_recipient_limit)\fR"
190/* Idem, for delivery via the named message \fItransport\fR.
191/* .IP "\fBdefault_extra_recipient_limit (1000)\fR"
192/* The default value for the extra per-transport limit imposed on the
193/* number of in-memory recipients.
194/* .IP "\fItransport\fB_extra_recipient_limit ($default_extra_recipient_limit)\fR"
195/* Idem, for delivery via the named message \fItransport\fR.
196/* .PP
197/* Available in Postfix version 2.4 and later:
198/* .IP "\fBdefault_recipient_refill_limit (100)\fR"
199/* The default per-transport limit on the number of recipients refilled at
200/* once.
201/* .IP "\fItransport\fB_recipient_refill_limit ($default_recipient_refill_limit)\fR"
202/* Idem, for delivery via the named message \fItransport\fR.
203/* .IP "\fBdefault_recipient_refill_delay (5s)\fR"
204/* The default per-transport maximum delay between recipients refills.
205/* .IP "\fItransport\fB_recipient_refill_delay ($default_recipient_refill_delay)\fR"
206/* Idem, for delivery via the named message \fItransport\fR.
207/* DELIVERY CONCURRENCY CONTROLS
208/* .ad
209/* .fi
210/* .IP "\fBinitial_destination_concurrency (5)\fR"
211/* The initial per-destination concurrency level for parallel delivery
212/* to the same destination.
213/* .IP "\fBdefault_destination_concurrency_limit (20)\fR"
214/* The default maximal number of parallel deliveries to the same
215/* destination.
216/* .IP "\fItransport\fB_destination_concurrency_limit ($default_destination_concurrency_limit)\fR"
217/* Idem, for delivery via the named message \fItransport\fR.
218/* .PP
219/* Available in Postfix version 2.5 and later:
220/* .IP "\fItransport\fB_initial_destination_concurrency ($initial_destination_concurrency)\fR"
221/* Initial concurrency for delivery via the named message
222/* \fItransport\fR.
223/* .IP "\fBdefault_destination_concurrency_failed_cohort_limit (1)\fR"
224/* How many pseudo-cohorts must suffer connection or handshake
225/* failure before a specific destination is considered unavailable
226/* (and further delivery is suspended).
227/* .IP "\fItransport\fB_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)\fR"
228/* Idem, for delivery via the named message \fItransport\fR.
229/* .IP "\fBdefault_destination_concurrency_negative_feedback (1)\fR"
230/* The per-destination amount of delivery concurrency negative
231/* feedback, after a delivery completes with a connection or handshake
232/* failure.
233/* .IP "\fItransport\fB_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)\fR"
234/* Idem, for delivery via the named message \fItransport\fR.
235/* .IP "\fBdefault_destination_concurrency_positive_feedback (1)\fR"
236/* The per-destination amount of delivery concurrency positive
237/* feedback, after a delivery completes without connection or handshake
238/* failure.
239/* .IP "\fItransport\fB_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)\fR"
240/* Idem, for delivery via the named message \fItransport\fR.
241/* .IP "\fBdestination_concurrency_feedback_debug (no)\fR"
242/* Make the queue manager's feedback algorithm verbose for performance
243/* analysis purposes.
244/* RECIPIENT SCHEDULING CONTROLS
245/* .ad
246/* .fi
247/* .IP "\fBdefault_destination_recipient_limit (50)\fR"
248/* The default maximal number of recipients per message delivery.
249/* .IP "\fItransport\fB_destination_recipient_limit ($default_destination_recipient_limit)\fR"
250/* Idem, for delivery via the named message \fItransport\fR.
251/* MESSAGE SCHEDULING CONTROLS
252/* .ad
253/* .fi
254/* .IP "\fBdefault_delivery_slot_cost (5)\fR"
255/* How often the Postfix queue manager's scheduler is allowed to
256/* preempt delivery of one message with another.
257/* .IP "\fItransport\fB_delivery_slot_cost ($default_delivery_slot_cost)\fR"
258/* Idem, for delivery via the named message \fItransport\fR.
259/* .IP "\fBdefault_minimum_delivery_slots (3)\fR"
260/* How many recipients a message must have in order to invoke the
261/* Postfix queue manager's scheduling algorithm at all.
262/* .IP "\fItransport\fB_minimum_delivery_slots ($default_minimum_delivery_slots)\fR"
263/* Idem, for delivery via the named message \fItransport\fR.
264/* .IP "\fBdefault_delivery_slot_discount (50)\fR"
265/* The default value for transport-specific _delivery_slot_discount
266/* settings.
267/* .IP "\fItransport\fB_delivery_slot_discount ($default_delivery_slot_discount)\fR"
268/* Idem, for delivery via the named message \fItransport\fR.
269/* .IP "\fBdefault_delivery_slot_loan (3)\fR"
270/* The default value for transport-specific _delivery_slot_loan
271/* settings.
272/* .IP "\fItransport\fB_delivery_slot_loan ($default_delivery_slot_loan)\fR"
273/* Idem, for delivery via the named message \fItransport\fR.
274/* OTHER RESOURCE AND RATE CONTROLS
275/* .ad
276/* .fi
277/* .IP "\fBminimal_backoff_time (300s)\fR"
278/* The minimal time between attempts to deliver a deferred message;
279/* prior to Postfix 2.4 the default value was 1000s.
280/* .IP "\fBmaximal_backoff_time (4000s)\fR"
281/* The maximal time between attempts to deliver a deferred message.
282/* .IP "\fBmaximal_queue_lifetime (5d)\fR"
283/* Consider a message as undeliverable, when delivery fails with a
284/* temporary error, and the time in the queue has reached the
285/* maximal_queue_lifetime limit.
286/* .IP "\fBqueue_run_delay (300s)\fR"
287/* The time between deferred queue scans by the queue manager;
288/* prior to Postfix 2.4 the default value was 1000s.
289/* .IP "\fBtransport_retry_time (60s)\fR"
290/* The time between attempts by the Postfix queue manager to contact
291/* a malfunctioning message delivery transport.
292/* .PP
293/* Available in Postfix version 2.1 and later:
294/* .IP "\fBbounce_queue_lifetime (5d)\fR"
295/* Consider a bounce message as undeliverable, when delivery fails
296/* with a temporary error, and the time in the queue has reached the
297/* bounce_queue_lifetime limit.
298/* .PP
299/* Available in Postfix version 2.5 and later:
300/* .IP "\fBdefault_destination_rate_delay (0s)\fR"
301/* The default amount of delay that is inserted between individual
302/* deliveries to the same destination; the resulting behavior depends
303/* on the value of the corresponding per-destination recipient limit.
304/* .IP "\fItransport\fB_destination_rate_delay ($default_destination_rate_delay)\fR"
305/* Idem, for delivery via the named message \fItransport\fR.
306/* .PP
307/* Available in Postfix version 3.1 and later:
308/* .IP "\fBdefault_transport_rate_delay (0s)\fR"
309/* The default amount of delay that is inserted between individual
310/* deliveries over the same message delivery transport, regardless of
311/* destination.
312/* .IP "\fItransport\fB_transport_rate_delay ($default_transport_rate_delay)\fR"
313/* Idem, for delivery via the named message \fItransport\fR.
314/* SAFETY CONTROLS
315/* .ad
316/* .fi
317/* .IP "\fBqmgr_daemon_timeout (1000s)\fR"
318/* How much time a Postfix queue manager process may take to handle
319/* a request before it is terminated by a built-in watchdog timer.
320/* .IP "\fBqmgr_ipc_timeout (60s)\fR"
321/* The time limit for the queue manager to send or receive information
322/* over an internal communication channel.
323/* .PP
324/* Available in Postfix version 3.1 and later:
325/* .IP "\fBaddress_verify_pending_request_limit (see 'postconf -d' output)\fR"
326/* A safety limit that prevents address verification requests from
327/* overwhelming the Postfix queue.
328/* MISCELLANEOUS CONTROLS
329/* .ad
330/* .fi
331/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
332/* The default location of the Postfix main.cf and master.cf
333/* configuration files.
334/* .IP "\fBdefer_transports (empty)\fR"
335/* The names of message delivery transports that should not deliver mail
336/* unless someone issues "\fBsendmail -q\fR" or equivalent.
337/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
338/* The maximal number of digits after the decimal point when logging
339/* sub-second delay values.
340/* .IP "\fBhelpful_warnings (yes)\fR"
341/* Log warnings about problematic configuration settings, and provide
342/* helpful suggestions.
343/* .IP "\fBprocess_id (read-only)\fR"
344/* The process ID of a Postfix command or daemon process.
345/* .IP "\fBprocess_name (read-only)\fR"
346/* The process name of a Postfix command or daemon process.
347/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
348/* The location of the Postfix top-level queue directory.
349/* .IP "\fBsyslog_facility (mail)\fR"
350/* The syslog facility of Postfix logging.
351/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
352/* The mail system name that is prepended to the process name in syslog
353/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
354/* .PP
355/* Available in Postfix version 3.0 and later:
356/* .IP "\fBconfirm_delay_cleared (no)\fR"
357/* After sending a "your message is delayed" notification, inform
358/* the sender when the delay clears up.
359/* FILES
360/* /var/spool/postfix/incoming, incoming queue
361/* /var/spool/postfix/active, active queue
362/* /var/spool/postfix/deferred, deferred queue
363/* /var/spool/postfix/bounce, non-delivery status
364/* /var/spool/postfix/defer, non-delivery status
365/* /var/spool/postfix/trace, delivery status
366/* SEE ALSO
367/* trivial-rewrite(8), address routing
368/* bounce(8), delivery status reports
369/* postconf(5), configuration parameters
370/* master(5), generic daemon options
371/* master(8), process manager
372/* syslogd(8), system logging
373/* README FILES
374/* .ad
375/* .fi
376/* Use "\fBpostconf readme_directory\fR" or
377/* "\fBpostconf html_directory\fR" to locate this information.
378/* .na
379/* .nf
380/* SCHEDULER_README, scheduling algorithm
381/* QSHAPE_README, Postfix queue analysis
382/* LICENSE
383/* .ad
384/* .fi
385/* The Secure Mailer license must be distributed with this software.
386/* AUTHOR(S)
387/* Wietse Venema
388/* IBM T.J. Watson Research
389/* P.O. Box 704
390/* Yorktown Heights, NY 10598, USA
391/*
392/* Preemptive scheduler enhancements:
393/* Patrik Rak
394/* Modra 6
395/* 155 00, Prague, Czech Republic
396/*
397/* Wietse Venema
398/* Google, Inc.
399/* 111 8th Avenue
400/* New York, NY 10011, USA
401/*--*/
402
403/* System library. */
404
405#include <sys_defs.h>
406#include <stdlib.h>
407#include <unistd.h>
408#include <ctype.h>
409
410/* Utility library. */
411
412#include <msg.h>
413#include <events.h>
414#include <vstream.h>
415#include <dict.h>
416
417/* Global library. */
418
419#include <mail_queue.h>
420#include <recipient_list.h>
421#include <mail_conf.h>
422#include <mail_params.h>
423#include <mail_version.h>
424#include <mail_proto.h> /* QMGR_SCAN constants */
425#include <mail_flow.h>
426#include <flush_clnt.h>
427
428/* Master process interface */
429
430#include <master_proto.h>
431#include <mail_server.h>
432
433/* Application-specific. */
434
435#include "qmgr.h"
436
437 /*
438 * Tunables.
439 */
/*
 * Every variable below is the target of exactly one row in the
 * configuration tables that main() passes to trigger_server_main(). They
 * are grouped here by the table that fills them in.
 */

/* Filled in from str_table. */
char   *var_defer_xports;
char   *var_conc_pos_feedback;
char   *var_conc_neg_feedback;
char   *var_def_filter_nexthop;

/* Filled in from time_table. */
int     var_queue_run_delay;
int     var_min_backoff_time;
int     var_max_backoff_time;
int     var_max_queue_time;
int     var_dsn_queue_time;
int     var_transport_retry_time;
int     var_qmgr_clog_warn_time;
int     var_xport_refill_delay;
int     var_xport_rate_delay;
int     var_dest_rate_delay;
int     var_qmgr_daemon_timeout;
int     var_qmgr_ipc_timeout;

/* Filled in from int_table. */
int     var_qmgr_active_limit;
int     var_qmgr_rcpt_limit;
int     var_qmgr_msg_rcpt_limit;
int     var_xport_rcpt_limit;
int     var_stack_rcpt_limit;
int     var_xport_refill_limit;
int     var_delivery_slot_cost;
int     var_delivery_slot_loan;
int     var_delivery_slot_discount;
int     var_min_delivery_slots;
int     var_init_dest_concurrency;
int     var_dest_con_limit;
int     var_dest_rcpt_limit;
int     var_local_rcpt_lim;
int     var_local_con_lim;
int     var_conc_cohort_limit;
int     var_vrfy_pend_limit;

/* Filled in from bool_table. */
bool    var_verp_bounce_off;
int     var_conc_feedback_debug;
int     var_dsn_delay_cleared;
476
/*
 * Slot numbers in qmgr_scans[]. qmgr_post_init() stores the incoming queue
 * scan in slot 0 and the deferred queue scan in slot 1; qmgr_loop() walks
 * the slots to pick the next queue file for the active queue.
 */
#define QMGR_SCAN_IDX_INCOMING 0
#define QMGR_SCAN_IDX_DEFERRED 1

static QMGR_SCAN *qmgr_scans[2];

/* Number of slots, derived from the array so the two cannot drift apart. */
#define QMGR_SCAN_IDX_COUNT (sizeof(qmgr_scans) / sizeof(qmgr_scans[0]))
482
483/* qmgr_deferred_run_event - queue manager heartbeat */
484
static void qmgr_deferred_run_event(int unused_event, void *dummy)
{
    QMGR_SCAN *deferred_scan = qmgr_scans[QMGR_SCAN_IDX_DEFERRED];

    /*
     * Timer callback. Request a scan of the deferred queue, then re-arm the
     * timer with this same routine and the same context, so that the next
     * scan is requested after another var_queue_run_delay.
     */
    qmgr_scan_request(deferred_scan, QMGR_SCAN_START);
    event_request_timer(qmgr_deferred_run_event, dummy, var_queue_run_delay);
}
495
496/* qmgr_trigger_event - respond to external trigger(s) */
497
static void qmgr_trigger_event(char *buf, ssize_t len,
                               char *unused_service, char **argv)
{
    int     incoming_flag = 0;
    int     deferred_flag = 0;
    int     pos;
    char    req;

    /*
     * This service is configured without command-line arguments; anything
     * else is a configuration error and is fatal.
     */
    if (argv[0] != 0)
        msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * buf[0..len-1] holds the trigger bytes that have arrived since the last
     * call. The file header notes that these bytes come from untrusted local
     * users, so:
     * 
     * - a byte is echoed to the verbose log as a character only when it is
     * alphanumeric, otherwise '?' is logged in its place;
     * 
     * - a byte that matches no known request is ignored, not treated as an
     * error.
     * 
     * There is no reply to the client, so identical requests are merged by
     * OR-ing their flags together, and the order of arrival does not matter.
     */
#define QMGR_FLUSH_BEFORE (QMGR_FLUSH_ONCE | QMGR_FLUSH_DFXP)

    for (pos = 0; pos < len; pos++) {
        req = buf[pos];
        if (msg_verbose)
            msg_info("request: %d (%c)",
                     req, ISALNUM(req) ? req : '?');
        switch (req) {
        case TRIGGER_REQ_WAKEUP:
        case QMGR_REQ_SCAN_INCOMING:
            /* A wakeup is handled like an incoming queue scan request. */
            incoming_flag |= QMGR_SCAN_START;
            break;
        case QMGR_REQ_SCAN_DEFERRED:
            deferred_flag |= QMGR_SCAN_START;
            break;
        case QMGR_REQ_FLUSH_DEAD:
            /* Modifier: applies to both queue scans. */
            incoming_flag |= QMGR_FLUSH_BEFORE;
            deferred_flag |= QMGR_FLUSH_BEFORE;
            break;
        case QMGR_REQ_SCAN_ALL:
            /* Modifier: applies to both queue scans. */
            incoming_flag |= QMGR_SCAN_ALL;
            deferred_flag |= QMGR_SCAN_ALL;
            break;
        default:
            if (msg_verbose)
                msg_info("request ignored");
            break;
        }
    }

    /*
     * Hand the merged flags to each scan at most once per call. A scan
     * whose flag word is still zero is left alone.
     */
    if (incoming_flag)
        qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], incoming_flag);
    if (deferred_flag)
        qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], deferred_flag);
}
556
557/* qmgr_loop - queue manager main loop */
558
static int qmgr_loop(char *unused_name, char **unused_argv)
{
    static int first_scan_idx = QMGR_SCAN_IDX_INCOMING;
    int     last_scan_idx = QMGR_SCAN_IDX_COUNT - 1;
    int     scan_idx;                   /* Priority order scan index */
    int     feed = 0;
    int     delay;
    char   *path;
    ssize_t token_count;

    /*
     * Called from the event loop after each timer or I/O event, or after a
     * timed wait. The return value tells the event manager how long to wait
     * for the next event: DONT_WAIT when a queue file was found in this
     * round, WAIT_FOR_EVENT otherwise.
     */
#define DONT_WAIT 0
#define WAIT_FOR_EVENT (-1)

    /*
     * Start deliveries for mail that is already in the active queue. Both
     * delivery process allocation and delivery itself are asynchronous.
     */
    qmgr_active_drain();

    /*
     * Admit new mail while the active queue is below var_qmgr_active_limit.
     * That limit is the leaky bucket described in the file header: it bounds
     * how many messages are held in the active queue. The scans are tried in
     * priority order starting at first_scan_idx, and the loop stops at the
     * first file for which qmgr_active_feed() returns non-zero, so at most
     * one message is imported per call.
     */
    delay = WAIT_FOR_EVENT;
    scan_idx = 0;
    while (qmgr_message_count < var_qmgr_active_limit
           && scan_idx < QMGR_SCAN_IDX_COUNT) {
        last_scan_idx = (scan_idx + first_scan_idx) % QMGR_SCAN_IDX_COUNT;
        path = qmgr_scan_next(qmgr_scans[last_scan_idx]);
        if (path != 0) {
            delay = DONT_WAIT;
            feed = qmgr_active_feed(qmgr_scans[last_scan_idx], path);
            if (feed != 0)
                break;
        }
        ++scan_idx;
    }

    /*
     * Round-robin the starting point for the next call. Once the active
     * queue is full, start with the incoming queue again so that new mail
     * is preferred over deferred mail.
     */
    if (qmgr_message_count < var_qmgr_active_limit)
        first_scan_idx = (last_scan_idx + 1) % QMGR_SCAN_IDX_COUNT;
    else
        first_scan_idx = QMGR_SCAN_IDX_INCOMING;

    /*
     * Global flow control is optional. When it is off there is nothing left
     * to do.
     */
    if (var_in_flow_delay <= 0)
        return (delay);

    /*
     * Keep the token count near var_proc_limit: add one token after feeding
     * a message from the incoming queue, top up to the limit when the
     * incoming scan has no open handle, and take back any excess. This slows
     * down receiving processes that get ahead of the queue manager without
     * blocking them completely.
     */
    token_count = mail_flow_count();
    if (token_count < var_proc_limit) {
        if (feed != 0 && last_scan_idx == QMGR_SCAN_IDX_INCOMING)
            mail_flow_put(1);
        else if (qmgr_scans[QMGR_SCAN_IDX_INCOMING]->handle == 0)
            mail_flow_put(var_proc_limit - token_count);
    } else if (token_count > var_proc_limit) {
        mail_flow_get(token_count - var_proc_limit);
    }
    return (delay);
}
632
633/* pre_accept - see if tables have changed */
634
static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *changed_table = dict_changed_name();

    /*
     * Registered in main() as the pre-accept hook. When
     * dict_changed_name() reports a table, log its name and exit with
     * status 0. The log text says "restarting"; what starts the replacement
     * process is not visible in this file.
     */
    if (changed_table == 0)
        return;
    msg_info("table %s has changed -- restarting", changed_table);
    exit(0);
}
644
645/* qmgr_pre_init - pre-jail initialization */
646
static void qmgr_pre_init(char *unused_name, char **unused_argv)
{

    /*
     * Pre-jail hook: this is the initialization that runs before the chroot
     * jail is entered, whereas qmgr_post_init() runs after that point. The
     * only step taken here is flush_init().
     */
    flush_init();
}
651
652/* qmgr_post_init - post-jail initialization */
653
static void qmgr_post_init(char *name, char **unused_argv)
{

    /*
     * Backwards compatibility: warn when the process still runs under the
     * old "nqmgr" name. This only logs; startup continues.
     */
    if (strcmp(var_procname, "nqmgr") == 0) {
        msg_warn("please update the %s/%s file; the new queue manager",
                 var_config_dir, MASTER_CONF_FILE);
        msg_warn("(old name: nqmgr) has become the standard queue manager (new name: qmgr)");
        msg_warn("support for the name old name (nqmgr) will be removed from Postfix");
    }

    /*
     * Sanity checks on pairs of limits that depend on each other. An
     * inconsistent pair is repaired with a warning instead of aborting: the
     * recipient limit is raised to the active queue limit, and the DSN
     * queue time is lowered to the maximal queue time.
     */
    if (var_qmgr_active_limit > var_qmgr_rcpt_limit) {
        msg_warn("%s is smaller than %s - adjusting %s",
                 VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT);
        var_qmgr_rcpt_limit = var_qmgr_active_limit;
    }
    if (var_max_queue_time < var_dsn_queue_time) {
        msg_warn("%s is larger than %s - adjusting %s",
                 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME);
        var_dsn_queue_time = var_max_queue_time;
    }

    /*
     * From here on the process is inside the chroot jail.
     * 
     * Zero the use and idle limits so that the process does not terminate
     * itself after a limited number of client requests or a limited amount
     * of idle time. Replace the generic IPC timeout with the queue
     * manager's own, so that a broken IPC channel can be reset before the
     * watchdog timer goes off.
     */
    var_use_limit = 0;
    var_idle_limit = 0;
    var_ipc_timeout = var_qmgr_ipc_timeout;

    /*
     * Move left-over active queue entries back to the incoming queue. The
     * incoming queue has priority, so the left-overs are not subject to the
     * anomalous delays that the deferred queue could cause when "postfix
     * reload/start" are issued often. The entries get a time stamp into the
     * future so that ongoing deliveries can finish first.
     */
    qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());

    /*
     * Create both queue scans, request an incoming queue scan right away,
     * and start the deferred queue heartbeat, which re-arms its own timer.
     */
    qmgr_scans[QMGR_SCAN_IDX_INCOMING] = qmgr_scan_create(MAIL_QUEUE_INCOMING);
    qmgr_scans[QMGR_SCAN_IDX_DEFERRED] = qmgr_scan_create(MAIL_QUEUE_DEFERRED);
    qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], QMGR_SCAN_START);
    qmgr_deferred_run_event(0, (void *) 0);
}
704
MAIL_VERSION_STAMP_DECLARE;

/* main - the main program */

int main(int argc, char **argv)
{

    /*
     * Configuration tables. Each row names a parameter, its default, and
     * the variable that receives the value; each table ends with a 0 row.
     * NOTE(review): in the str, time and int tables the two trailing numbers
     * look like lower and upper bounds, with 0 meaning "no bound" -- confirm
     * against the CONFIG_*_TABLE declarations.
     */
    static const CONFIG_STR_TABLE str_table[] = {
        VAR_DEFER_XPORTS, DEF_DEFER_XPORTS, &var_defer_xports, 0, 0,
        VAR_CONC_POS_FDBACK, DEF_CONC_POS_FDBACK, &var_conc_pos_feedback, 1, 0,
        VAR_CONC_NEG_FDBACK, DEF_CONC_NEG_FDBACK, &var_conc_neg_feedback, 1, 0,
        VAR_DEF_FILTER_NEXTHOP, DEF_DEF_FILTER_NEXTHOP, &var_def_filter_nexthop, 0, 0,
        0,
    };
    static const CONFIG_TIME_TABLE time_table[] = {
        VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
        VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
        VAR_MAX_BACKOFF_TIME, DEF_MAX_BACKOFF_TIME, &var_max_backoff_time, 1, 0,
        VAR_MAX_QUEUE_TIME, DEF_MAX_QUEUE_TIME, &var_max_queue_time, 0, 8640000,
        VAR_DSN_QUEUE_TIME, DEF_DSN_QUEUE_TIME, &var_dsn_queue_time, 0, 8640000,
        VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0,
        VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0,
        VAR_XPORT_REFILL_DELAY, DEF_XPORT_REFILL_DELAY, &var_xport_refill_delay, 1, 0,
        VAR_XPORT_RATE_DELAY, DEF_XPORT_RATE_DELAY, &var_xport_rate_delay, 0, 0,
        VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0,
        VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0,
        VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0,
        0,
    };
    static const CONFIG_INT_TABLE int_table[] = {
        VAR_QMGR_ACT_LIMIT, DEF_QMGR_ACT_LIMIT, &var_qmgr_active_limit, 1, 0,
        VAR_QMGR_RCPT_LIMIT, DEF_QMGR_RCPT_LIMIT, &var_qmgr_rcpt_limit, 1, 0,
        VAR_QMGR_MSG_RCPT_LIMIT, DEF_QMGR_MSG_RCPT_LIMIT, &var_qmgr_msg_rcpt_limit, 1, 0,
        VAR_XPORT_RCPT_LIMIT, DEF_XPORT_RCPT_LIMIT, &var_xport_rcpt_limit, 0, 0,
        VAR_STACK_RCPT_LIMIT, DEF_STACK_RCPT_LIMIT, &var_stack_rcpt_limit, 0, 0,
        VAR_XPORT_REFILL_LIMIT, DEF_XPORT_REFILL_LIMIT, &var_xport_refill_limit, 1, 0,
        VAR_DELIVERY_SLOT_COST, DEF_DELIVERY_SLOT_COST, &var_delivery_slot_cost, 0, 0,
        VAR_DELIVERY_SLOT_LOAN, DEF_DELIVERY_SLOT_LOAN, &var_delivery_slot_loan, 0, 0,
        VAR_DELIVERY_SLOT_DISCOUNT, DEF_DELIVERY_SLOT_DISCOUNT, &var_delivery_slot_discount, 0, 100,
        VAR_MIN_DELIVERY_SLOTS, DEF_MIN_DELIVERY_SLOTS, &var_min_delivery_slots, 0, 0,
        VAR_INIT_DEST_CON, DEF_INIT_DEST_CON, &var_init_dest_concurrency, 1, 0,
        VAR_DEST_CON_LIMIT, DEF_DEST_CON_LIMIT, &var_dest_con_limit, 0, 0,
        VAR_DEST_RCPT_LIMIT, DEF_DEST_RCPT_LIMIT, &var_dest_rcpt_limit, 0, 0,
        VAR_LOCAL_RCPT_LIMIT, DEF_LOCAL_RCPT_LIMIT, &var_local_rcpt_lim, 0, 0,
        VAR_LOCAL_CON_LIMIT, DEF_LOCAL_CON_LIMIT, &var_local_con_lim, 0, 0,
        VAR_CONC_COHORT_LIM, DEF_CONC_COHORT_LIM, &var_conc_cohort_limit, 0, 0,
        VAR_VRFY_PEND_LIMIT, DEF_VRFY_PEND_LIMIT, &var_vrfy_pend_limit, 1, 0,
        0,
    };
    static const CONFIG_BOOL_TABLE bool_table[] = {
        VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
        VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
        VAR_DSN_DELAY_CLEARED, DEF_DSN_DELAY_CLEARED, &var_dsn_delay_cleared,
        0,
    };

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Run under the trigger service skeleton: no other process should be
     * monitoring this service port while the queue manager runs, and the
     * queue manager never replies to the client.
     * 
     * The hooks run at different stages: qmgr_pre_init() before the chroot
     * jail is entered, qmgr_post_init() after it, qmgr_loop() as part of the
     * event loop, and pre_accept() to check for changed tables. The watchdog
     * is given the address of var_qmgr_daemon_timeout, which the file header
     * describes as the time a request may take before the process is
     * terminated.
     */
    trigger_server_main(argc, argv, qmgr_trigger_event,
                        CA_MAIL_SERVER_INT_TABLE(int_table),
                        CA_MAIL_SERVER_STR_TABLE(str_table),
                        CA_MAIL_SERVER_BOOL_TABLE(bool_table),
                        CA_MAIL_SERVER_TIME_TABLE(time_table),
                        CA_MAIL_SERVER_PRE_INIT(qmgr_pre_init),
                        CA_MAIL_SERVER_POST_INIT(qmgr_post_init),
                        CA_MAIL_SERVER_LOOP(qmgr_loop),
                        CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
                        CA_MAIL_SERVER_SOLITARY,
                        CA_MAIL_SERVER_WATCHDOG(&var_qmgr_daemon_timeout),
                        0);
}
783